af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag
If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued twice. If the socket is then closed, the pointer to the skb is freed twice. Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram() function already handles MSG_PEEK (does not dequeue the skb). Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Родитель
bbe188c8f1
Коммит
60d3705fcb
|
@ -814,6 +814,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||||
|
|
||||||
target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
|
target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
|
||||||
|
|
||||||
|
/* receive/dequeue next skb:
|
||||||
|
* the function understands MSG_PEEK and, thus, does not dequeue skb */
|
||||||
skb = skb_recv_datagram(sk, flags, noblock, &err);
|
skb = skb_recv_datagram(sk, flags, noblock, &err);
|
||||||
if (!skb) {
|
if (!skb) {
|
||||||
if (sk->sk_shutdown & RCV_SHUTDOWN)
|
if (sk->sk_shutdown & RCV_SHUTDOWN)
|
||||||
|
@ -861,9 +863,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||||
iucv_process_message_q(sk);
|
iucv_process_message_q(sk);
|
||||||
spin_unlock_bh(&iucv->message_q.lock);
|
spin_unlock_bh(&iucv->message_q.lock);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
} else
|
|
||||||
skb_queue_head(&sk->sk_receive_queue, skb);
|
|
||||||
|
|
||||||
done:
|
done:
|
||||||
return err ? : copied;
|
return err ? : copied;
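Review bot: With the `else` branch removed, the MSG_PEEK path in the second hunk falls straight through to `done:` and never touches `skb` again, so please confirm that the reference held on a peeked skb is released somewhere. As far as I know, skb_recv_datagram() takes an extra reference on the skb when MSG_PEEK is set and leaves it on the receive queue. If that holds for this tree, the fix trades the double free for a slow skb leak unless the peek path ends with something like `skb_free_datagram(sk, skb);`. The part of iucv_sock_recvmsg() between the two hunks is not shown; any other `skb_queue_head(&sk->sk_receive_queue, skb)` there, for example on a copy-failure path, would bring back the double enqueue under MSG_PEEK and should be guarded with `if (!(flags & MSG_PEEK))`.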
|
||||||
|
|